
NIST SP800-115

NIST's technical guide.
© Coventry University. CC BY-NC 4.0

The Technical Guide to Information Security Testing and Assessment (also known by the catchy title NIST SP800-115) was published by the National Institute of Standards and Technology (NIST) in 2008.

It provides a relatively high-level overview of designing, implementing and maintaining technical information security test and examination processes and procedures. It aims to help organisations plan and carry out tests that find vulnerabilities in a system or network and that verify compliance with a policy or other requirements.

The guide describes three main methods of assessment:

  • Testing – executing technical tests on the target networks and systems
  • Examination – the main non-technical assessment process of checking, inspecting, reviewing, observing, studying or analysing
  • Interviews – another non-technical assessment method described as a process of conducting discussions with individuals or groups within an organisation to facilitate understanding, achieve clarification, or identify the location of evidence

NIST SP800-115 divides a security assessment project into three phases:

  • Planning covers the initial stages of the project, such as information gathering, asset identification and threat modelling
  • Execution mainly focuses on finding system, network and organisational process vulnerabilities
  • Post-execution covers the assessment of the vulnerabilities found earlier, and their impact

The reason we have included this methodology in our list is that it provides a good discussion of the non-technical examination of an organisation's security posture.

There are cases where the target systems cannot be simulated realistically enough, and running full simulated attacks against live production systems is not an option either, e.g. in critical infrastructure or medical environments. In those environments, being able to run a non-technical examination is particularly important. This approach is also useful when verifying compliance with required standards and policies.

Reference

National Institute of Standards and Technology (2008) NIST SP800-115 [online] available from https://csrc.nist.gov/publications/detail/sp/800-115/final [11 April 2019]

This article is from the free online course Ethical Hacking: An Introduction, created by Coventry University on FutureLearn.
